BSides Tirana 2025

8:30 - 9:00

Registration and Networking

Registration and networking over fresh coffee and pastries.

9:00 - 9:15

Opening Speech

9:15 - 9:55

Valentina Palmiotti

Keynote Speaker

BSides Tirana 2025 Keynote

9:55 - 10:15

Andrey Parshin

You, But Not You? How Your Digital Identity Becomes a Fraudster’s Mask

Cybercriminals are turning to browser fingerprinting as a powerful tool for online fraud. These unique digital signatures, made up of your device, browser, and behavior data, can be stolen and reused to impersonate real users, bypass security systems, and carry out attacks undetected.
In this session, we will explore how browser fingerprints are collected, how threat actors use them to automate attacks such as credential stuffing, fake account creation, and data scraping, and why traditional defenses often fall short. Most importantly, you will gain actionable strategies to protect your digital identity from these stealthy and rapidly evolving threats.

10:15 - 10:35

Robert Shala, Armend Gashi

Hijacking AI Agents with ChatML Role Injection

Large-language-model wrappers increasingly rely on the “ChatML” format to segregate system, assistant, and user roles, yet those delimiters introduce a critical design flaw: there is a role hierarchy but no ChatML/server-side RBAC or parameter-level trust boundary built into ChatML or its chat-completions JSON wrapper. Any client that can speak ChatML can also impersonate privilege, similar to the logical flaws of early-2000s web apps. To make it worse: everybody and their mother forked this thing with roles/privileges but no built-in RBAC pioneered by leading model providers.

In twenty minutes we will walk through the anatomy of that oversight and unveil three vendor-agnostic role-injection techniques that bypass guardrails, trigger unbounded consumption, and hijack function calls in under 50 tokens. We then pivot to parameter pollution, showing how JSON key overrides (temperature, system, tools) can be further used to abuse agents.

10:35 - 11:05

Adi Dibra

Using Predictive Insights and Red Team Tactics to Fortify Defenses

Cyber threats are changing fast, and just reacting to attacks is not enough anymore. In this talk I will explore why thinking like a Red Teamer helps us understand their methods: Tactics, Techniques, and Procedures (TTPs). A representation of how Red Teamers scour the internet, and not only, to be one step ahead of Blue Teamers. It is the Blue Teamers' job to step up their game in order to make it much harder, more expensive, and less rewarding for the Red Teamers to succeed. Blue Teamers should use the data, not to understand the past but to predict the future.

11:05 - 11:25

Erblind Morina

Cloud IR: A Rapid Guide for AWS, Azure & GCP

This presentation walks through how to respond to common cloud attacks, like compromised credentials or lateral movement, across the biggest cloud providers, including AWS, Azure, and GCP. It includes a downloadable cheatsheet to help incident responders quickly identify key log sources, collect forensic artifacts, and take immediate action in case of IR. Real-world tips, scripts, and IBM X-Force Incident Response best practices will help teams boost readiness and real-time response for cloud-related cases.

11:25 - 11:45

Phil Keeble

Compromising backups for fun and profit

In this talk the attack surface of Veeam and Rubrik will be explored. Veeam and Rubrik are two very common domain backup solutions with various components, and they are a guaranteed critical objective for red teamers. Some ways of compromising them will be explored, and a new BOF will be discussed for the decryption of credentials which allowed our red team to pivot through a tightly secured red forest recently by owning Veeam. Rubrik will also be explored as an alternate option to see how it is structured and explore possibilities.

11:45 - 12:45

Panel Discussion

TBD

12:45 - 13:45

Lunch Break

13:50 - 14:20

Berk Imran

Red Team Activities in Civil Aviation

This talk presents an in-depth red team analysis of civil aviation systems, focusing on critical vulnerabilities in protocols used by aircraft during flight and landing. The session explores how attackers can manipulate the Instrument Landing System (ILS) to divert aircraft during low-visibility landings, how the ACAS/TCAS collision-avoidance system can be exploited to trigger mid-air collision risks, and how spoofing the ADS-B protocol can mislead air traffic controllers with false aircraft data. The presentation includes real-world simulations, attack vectors, and defense recommendations to enhance aviation cybersecurity awareness and resilience.

14:20 - 14:50

Vangelis Stykas

Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels

Ransomware groups have become notably proficient at wreaking havoc across various sectors, but we can turn the tables. However, a less explored avenue in the fight against these digital adversaries lies in the proactive offense against their web panels. In this presentation, I will delve into the strategies and methodologies for infiltrating and commandeering the web panels used by ransomware groups to manage their malicious operations or the APIs used during their initial exfiltration of data.

I will demonstrate how to leverage these vulnerabilities to gain unauthorized access to the ransomware groups' web panels. This access not only disrupts their operations but also opens a window to gather intelligence and potentially identify the operators behind those APTs. Let’s explore the frontiers of cyber offense, targeting the very command and control (C2) centers that ransomware groups rely on, turning the tables in our ongoing battle against cyber threats. It’s our turn to wreak havoc.

14:50 - 15:20

Nick Dunn

Using the OWASP Top 10 to Save the Astronauts from HAL

A discussion of the OWASP ML Top 10 and OWASP LLM Top 10, and how a failure to apply these principles in the movie 2001: A Space Odyssey led to disastrous consequences for the crew.

The talk will use the OWASP Top 10 for ML and OWASP Top 10 for LLMs to analyze the nature of the flaws in HAL 9000, the AI in 2001: A Space Odyssey, and how this led to disastrous results for the mission.
There will be a discussion of failures to consider different aspects of both the LLM and ML Top 10 during HAL's design and training phases, and the subsequent attempts to implement fixes during the mission. Each omission or failure to apply an OWASP principle that led to the vulnerabilities will be discussed in detail, and also related to real-life applications, to ensure the talk isn't just a geeky discussion of a cool-looking sci-fi AI.

15:20 - 15:40

Coffee Break

15:40 - 16:00

Andi Ahmeti

Inbox Under Siege: Real-World BEC Attacks, Tactics & Lessons Learned

Business Email Compromise (BEC) remains one of the most lucrative and evolving cyber threats, costing organizations billions annually. This session takes a deep dive into real-world BEC attacks, dissecting the tactics used by adversaries, from social engineering and credential theft to the abuse of inbox rules for stealthy persistence. Attendees will gain insights into how attackers manipulate trust, bypass security measures, and execute fraudulent transactions—often without triggering traditional alerts.

Using real case studies, we’ll explore how inbox rules play a critical role in concealing fraudulent communications, intercepting emails, and evading detection. The session will also cover detection strategies and actionable defenses to help security teams stay ahead of BEC threats.

Whether you're in threat hunting, incident response, or security leadership, this talk will provide practical takeaways to better protect your organization from BEC attacks.

16:00 - 16:30

Georg Ph. E. Heise

Breaking Bad AD: What Red Teams Wish You'd Fix Yesterday

Active Directory (AD) remains a cornerstone of enterprise IT infrastructure, yet it often harbours misconfigurations that adversaries exploit with alarming ease. Despite advancements in security practices, many organisations continue to grapple with outdated software, excessive permissions, and neglected configurations, leaving them vulnerable to sophisticated attacks.

This session will examine real-world scenarios in which mismanaged AD environments could have led to significant security breaches. We’ll also look into how this could have been avoided and how small- to medium-sized businesses can have an up-to-date Active Directory that makes adversaries' lives hard.

16:30 - 17:00

Closing Speech

  • Closing speech
  • Announcement of Capture the Flag winners

10:30 - 11:45

Blerim Jahiu

Use of AI in Offensive Cybersecurity, Integration of ShellGPT into Parrot Security or Kali Linux

Use of AI in Offensive Cybersecurity

This workshop explores the transformative role of Artificial Intelligence (AI) in offensive cybersecurity. Participants will gain insights into the evolution of offensive security, from traditional penetration testing to the integration of AI-powered automated attacks. The session will highlight key AI technologies, including machine learning, natural language processing (NLP), and deep learning, and their applications in reconnaissance, exploitation, and post-exploitation phases.

Key topics covered include:

  • The evolution of offensive cybersecurity techniques
  • Advantages and risks of using AI in red-teaming operations
  • How AI can enhance the speed, precision, and scalability of attacks
  • Ethical and legal considerations in the use of AI in offensive campaigns
  • Future trends, including autonomous red team agents and multimodal AI

The workshop will feature live demonstrations of AI tools like ShellGPT in a Linux terminal, showing practical applications of AI in real-world offensive security scenarios. Participants will leave with a deeper understanding of how AI is shaping the future of cybersecurity and how to responsibly integrate these tools into their operations.

13:30 - 16:00

Robert Shala

Wargaming Cyber Persistence - “Exploitation, Not Coercion”

“Exploitation, Not Coercion” is a strategic/operational-level wargame designed to explore the realities of contemporary state-sponsored cyber operations. Unlike traditional conflict, which is shaped by coercive dynamics, this game is built on the concepts of cyber persistence theory, persistent engagement, and the dynamics of continuously converting exploitation into meaningful, strategic outcomes. Players take on the roles of CMU/APT units, building capacities and managing resource constraints to achieve strategic goals. Through asymmetric objectives, asymmetric capabilities, and dynamic resource allocation, the game models real-world challenges such as:

  • Managing talent, equities, and capability pipelines
  • Gaining and maintaining access in changing environments
  • Managing stealth and operational security
  • Trade-offs between speed, scale, scope, and long-term persistence

The workshop blends hands-on gameplay with strategic discussion, giving participants insight into both the technical and strategic dimensions of cyber conflict.

9:00 - 17:00

Sina Kheirkhah

Advanced .NET Exploitation Workshop (BSides Tirana 2025)

About the workshop

Join us for a special 1-day hands-on workshop with the Summoning Team, based on their acclaimed Advanced .NET Exploitation Training (normally €4K). You'll dive into real-world .NET exploitation techniques, learn to chain bugs, bypass mitigations, and pop shells — all in a friendly and practical environment.

Taught by Sina Kheirkhah (@SinSinology), Pwn2Own "Master of Pwn"

Learn from one of the best in the game!

Spots are limited. Don’t miss it!

Coffee, food & snacks included

Buy Tickets: https://www.eventbrite.com/e/advanced-net-exploitation-workshop-bsides-tirana-2025-tickets-1404861551719?aff=oddtdtcreator